In one of my other articles, “Accessing Exchange Online Objects”, I outlined how you can interact with these objects. When you need to scope an app that uses application permissions to a subset of mailboxes, you can use ApplicationAccessPolicies, as outlined here by Microsoft.
As of today, only a subset of Microsoft Graph application permissions is supported by these policies: the Mail.*, MailboxSettings.*, Calendars.* and Contacts.* application permissions.
Note: There is no support for Exchange Web Services (EWS), Exchange ActiveSync (EAS) or IMAP4! An ApplicationAccessPolicy only scopes access that comes in through Microsoft Graph.
Whenever you configure an app with application permissions, you need a user with the Global Administrator role to grant tenant-wide admin consent. The Application Administrator or Cloud Application Administrator role is not sufficient, as those roles cannot grant admin consent for Microsoft Graph and Azure AD Graph application permissions, as outlined here.
Now think of larger companies with several teams, or companies that follow security principles and perform segregation of duties.
You will most likely have a different account for the Global Administrator than for the Exchange Administrator. Or the natural person holding the Global Administrator role has no knowledge of how to create an ApplicationAccessPolicy in Exchange Online (which is absolutely fine!).
Can you see the dilemma? Wouldn’t it be perfect to grant a subset of administrators, for example those holding the Exchange Administrator role, the permission to grant admin consent ONLY for certain permissions? This would relieve the Global Administrator of this task.
There is currently a preview available, which allows Custom administrator roles in Azure Active Directory. The details are explained here, but the interesting part for our scenario is described here:
You can create a PermissionGrantPolicy that lists exactly the permissions you want to delegate and add it as a RolePermission to your custom role. The role permission takes the form `microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}`, where `{id}` is the ID of your PermissionGrantPolicy, so a holder of the custom role can grant tenant-wide admin consent for the permissions in that policy and nothing else.
To create a custom role with the specific settings, you need to use the AzureADPreview PowerShell module.
First, we need to sign in with Global Admin privileges to create the necessary settings:
- Get the SPN for Microsoft Graph
- Get the IDs of the supported permissions
- Create a PermissionGrantPolicy and a condition set that includes those permissions
- Create the custom role that carries the policy as a RolePermission
- Assign the role to a user
This sounds like a lot of things you have to care about, but with PowerShell it’s not too difficult. Here’s the code for the steps above.
Get Microsoft Graph SPN and IDs for supported permissions:
Create the policy and its condition set, then create the custom role, which ties all of this information together:
In the final step, assign the role to a user:
The assignment using New-AzureADMSRoleAssignment will result in a permanent role-assignment. If you are using Azure AD Privileged Identity Management (PIM) use the following code:
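The following PowerShell is an added, complete walk-through of the steps above (SPN lookup, policy, condition set, custom role, permanent or PIM assignment); it is example code written for this page, not the original article's script. It assumes the AzureADPreview module, a session signed in as Global Administrator, and placeholder names for the policy ID, role display name and target user that you should adapt to your tenant. The Microsoft Graph AppId `00000003-0000-0000-c000-000000000000` is the well-known value; the permission names are the ones Microsoft documents as supported by ApplicationAccessPolicy.

```powershell
# Added example, not the article's original code. Requires the AzureADPreview module and a
# session signed in with Global Administrator privileges.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$policyId      = 'exo-app-permissions'          # assumption: ID of the PermissionGrantPolicy
$roleName      = 'Exchange Online App Consent'  # assumption: display name of the custom role
$targetUserUpn = 'exo-admin@contoso.com'        # assumption: user who will receive the role
$usePim        = $false                         # $true = eligible assignment via PIM instead of permanent

# Microsoft Graph application permissions that ApplicationAccessPolicy can scope (per Microsoft docs)
$supportedPermissions = @(
    'Mail.Read', 'Mail.ReadBasic', 'Mail.ReadWrite', 'Mail.Send',
    'MailboxSettings.Read', 'MailboxSettings.ReadWrite',
    'Calendars.Read', 'Calendars.ReadWrite',
    'Contacts.Read', 'Contacts.ReadWrite'
)

# 1. Microsoft Graph service principal (well-known AppId) and the IDs of the app roles above.
#    Application permissions are the AppRoles whose AllowedMemberTypes contains 'Application'.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSpn   = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"
$appRoles   = @($graphSpn.AppRoles | Where-Object {
    $_.Value -in $supportedPermissions -and $_.AllowedMemberTypes -contains 'Application'
})
if ($appRoles.Count -ne $supportedPermissions.Count) {
    Write-Warning "Resolved $($appRoles.Count) of $($supportedPermissions.Count) permissions; check the names."
}

# 2. PermissionGrantPolicy with a single 'includes' condition set: application permissions on
#    Microsoft Graph, restricted to exactly the app role IDs resolved above.
$policy = New-AzureADMSPermissionGrantPolicy -Id $policyId `
    -DisplayName 'Exchange Online application permissions' `
    -Description 'Allows admin consent only for Graph mailbox-related application permissions'
New-AzureADMSPermissionGrantConditionSet -PolicyId $policy.Id `
    -ConditionSetType 'includes' `
    -PermissionType 'application' `
    -ResourceApplication $graphAppId `
    -Permissions @($appRoles.Id) | Out-Null

# 3. Custom role whose only allowed action is "grant consent according to this policy".
$rolePermission = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission
$rolePermission.AllowedResourceActions = @(
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$($policy.Id)"
)
$role = New-AzureADMSRoleDefinition -DisplayName $roleName `
    -Description 'Grant tenant-wide admin consent for the permissions in the linked policy' `
    -RolePermissions @($rolePermission) -ResourceScopes @('/') -IsEnabled $true

# 4. Assign the role: permanent (4a) or eligible through PIM (4b).
$user = Get-AzureADUser -ObjectId $targetUserUpn
if (-not $usePim) {
    # 4a. Permanent assignment at tenant scope.
    New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId -DirectoryScopeId '/'
} else {
    # 4b. PIM: the custom role shows up in the 'aadRoles' provider; request an eligible assignment
    #     with no end date, so the user has to activate the role before using it.
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    $pimRole  = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object DisplayName -eq $roleName
    $schedule = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type          = 'Once'
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $schedule.EndDateTime   = $null
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
        -RoleDefinitionId $pimRole.Id -SubjectId $user.ObjectId `
        -Type 'AdminAdd' -AssignmentState 'Eligible' -Schedule $schedule `
        -Reason 'Delegated admin consent for Exchange Online application permissions'
}

# Verify what the delegated administrator will be allowed to consent to.
Get-AzureADMSPermissionGrantConditionSet -PolicyId $policy.Id -ConditionSetType 'includes'
```

Two points worth checking after running this: the condition set should list only the app role IDs you intended (anything missing from `$supportedPermissions` simply is not consentable through the role, and anything extra widens the delegation), and the role should carry no other `AllowedResourceActions`. The role only covers the consent step; the ApplicationAccessPolicy itself is still created by the Exchange Administrator in Exchange Online.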
With this you should be good to go, but there are a few things to mention:
I hope the scenario described above will help you. If this doesn't exactly match your needs, you might still want to have a look into these capabilities and modify the code as needed.
ENow’s Office 365 Monitoring solution is like your own personal outage detector that pertains solely to your environment. ENow’s solution monitors all crucial components, including your hybrid servers, the network, and Office 365, from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred ensures that any outages are detected and solved as quickly as possible.